Cybersecurity Faces 1.8 Million Worker Shortfall By 2022

Over the next five years, the number of unfilled cybersecurity jobs will rise to a whopping 1.8 million, a 20% increase from 2015 estimates, according to a new (ISC)2 survey released today.

Driving this widening shortage is not only the often discussed lack of qualified workers but also a greater need to bring in more warm bodies to tackle the rapidly evolving ways that cybercriminals and attackers are launching their nefarious activities, according to the report. It's getting easier for low-tech criminals to get into hacking, thanks to malware-as-a-service operations and crimeware kits.

Another report this week from Cybersecurity Ventures also attributes the immense shortage of cybersecurity workers to the soaring rise in cybercrime, and projected doubling of costs to $6 trillion annually worldwide by 2021. Cybersecurity Ventures is also predicting a much more dire staffing shortfall, with the industry facing a shortage of 3.5 million workers by 2021. While (ISC)2 calculated its data based on a survey of its security pros, CV's report drew from employment data gleaned from media, analysts, job boards, vendors, governments, and other organizations, on job opening data from the past five years.

"For the millions of companies around the globe, this is a real wake-up call," says Ray Rothrock, CEO of RedSeal, in response to the Cybersecurity Ventures data. "But if we can truly understand how our networks are configured and operate, and understand where our vulnerabilities lie, we'll be prepared to better respond to attacks, protect our networks, and prevent a breach - even in the face of a skilled labor shortage crisis."

Hard Figures

(ISC)2's Global Information Security Workforce Study, which queried 19,000 cybersecurity professionals worldwide, found 66% of survey respondents feel they do not have enough employees to address the increasing level of threats coming their way. That figure was up from 62% in 2015.

North America had the greatest number of understaffed organizations, with 68% feeling the pressure. Latin America and also the Middle East-Africa followed, with 67% each, respectively.

While North America topped the list of regions with the most understaffed IT departments, in Europe, hiring managers expect to bump up their workforce by 15% or more.

"The forthcoming EU General Data Protection Regulation (GDPR) that was adopted on April 27, 2016, creates challenging data protection requirements for all individuals within the European Union. Consequently, there is heightened awareness throughout the EU about the need for cybersecurity professionals," says David Shearer, CEO of (ISC)2.

He added that the GDPR's compliance deadline of May 25, 2018, is fast approaching and that hiring plans throughout the EU are likely to be accelerated.

Pain Points Pinpointed

Among the various reasons why the cybersecurity labor shortage continues to increase, the issue of finding enough qualified workers topped the list, at 49%.

More than half of respondents in North America cite a lack of qualified workers as the main reason for their shortage of staff, a statistic that at first blush may seem surprising given the number of prestigious colleges and universities that offer IT degrees. Meanwhile, cybersecurity undergraduate programs are still less common than traditional computer science degrees.

"We could be focused on the wrong problem in thinking the dearth of talent within the industry is directly linked to the lack of technical colleges and universities producing STEM graduates," (ISC)2's Shearer says. "It may very well be that we’re not doing a good enough job of making the case to students that cybersecurity can be a rewarding career path from monetary, job stability, and a sense contribution perspectives."

When it comes to the greatest threats that worry IT security professionals, data exposure topped the list for cybersecurity professionals in North America (35%) and the Asia-Pacific region (37%), while hacking was the greatest concern in the Middle East-Africa region (47%). Ransomware loomed largest on the minds of 44% of survey respondents in Latin America and 28% in Europe, according to the (ISC)2 report.

Operations and security management talent is one of the most in demand, with 62% of survey respondents worldwide wishing for more people in those positions, according to the report. The second-most sought-after role was in the incident and threat management and forensics area, at 58%.

Shearer says it's important to keep in mind, however, that there remains a lack of consistent job titles within the international cybersecurity profession.

Solution Under Your Nose?

Despite growing concern there are not enough qualified cybersecurity officials to fill the millions of available IT security jobs, the solution may actually be within arms' reach - literally.

It turns out that 87% of cybersecurity officials worldwide came to the industry from another career, according to the report. And yet, according to Dark Reading's Surviving the IT Security Skills Shortage report, 58% of those surveyed indicated that prior experience defending a similar company or similar data was a key qualification in the hiring process.

While many cybersecurity professionals came from other areas within IT, according to the (ISC)2 report, 30% worldwide launched their cybersecurity career after holding a non-technical role such as in business, accounting, or marketing.

Some organizations point to training and certification as a way to beef up the cybersecurity ranks with non-technical workers, or even IT workers who come from outside of security.

"Training and certification are vitally important to developing skills that today’s cybersecurity professionals need. Looking outside traditional recruitment avenues is another viable solution – looking for those with more non-technical backgrounds," Shearer notes. "Some organizations are establishing developmental paths for entry-level candidates to deal with workforce capacity and succession planning."

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Even if you were to successfully address the labor shortage of qualified and experienced Cybersecurity professionals, due to the white-hot market for individuals with the right skills, you will immediately inherit employee retention issues. The stability and 'stay-ability' of the desirable talent is very likely to be lured away for more money, the promise of sponsored certifications, trips to Blackhat/Defcon and advancement opportunity.

InfoSec resources definitely come from a wide variety of backgrounds. I've worked with ex-cops, ex-lawyers, ex-history professors, and so on. My background is - professionally, at least - in software as a build and release, and test engineer. While I'm currently a security lead embedded in an app development team, even now security isn't my primary role. In fact, I've had opportunities to get out of my software dev role and focus on security but the pay and benefits didn't outweigh those of my current gig.

Now, I'm sure it's surprising to some I work with to learn I have pentesting skills, can build Tor servers and nodes, have a deep practical understanding of cryptocurrency and have researched everything from undetectable honeypots to a distributed computing-driven traceroute infrastructure for generating realtime network topology snapshots. But none of this is interesting when you consider 50 hours of my work week is focused on everyday development lifecycles for standard app features. My preference would be to put my technical skills toward something I love and find endlessly fascinating, but when you compare the InfoSec work week to its pay scale (and I mean practical engineers who program tools on the fly, track intrusion realtime and patch in response to exploits) you often find a huge gap.

One of the things that keeps me in my current role is the combination of industry competitive pay, benefits and the regular opportunity to get certified on the company's tab. Working somewhere that gets the value you bring, understands the hours needed to do quality work and provides opportunities for work/life balance is hard to measure. And for many of the smaller InfoSec groups that have reached out, this just didn't seem to be the case. Frankly, I suspect a large number of hiring managers don't understand the day-to-day activities of an InfoSec tech. The 24/7 availability requirement is only one aspect of this reality. There needs to be a resource balance to allow relaxation, but also flexibility to allow techs with families to work after hours when needed, the tools to pull out a mobile device and work when in line at Disneyland on the weekend, and the pay scale to make all of it attractive.

Until the pay is more competitive, the tools provided the best they can get to provide maximum computing power and mobility, and access to company-sponsored certifications becomes the norm, I don't think as many with the skills companies really want to hire are going to be lining up. This may be just a small factor in the equation, but for me it was the primary one. And I work alongside lots of far more talented hackers who also settled for the next-best role for the same reasons. Maybe it's good, though. That means embedded InfoSec junkies like me can help add a layer of security responsibility that might not have been there before since... well, since companies aren't hiring teams of us.

Many more cybersecurity workers are needed and they will probably find lifetime employment somewhere. But I suspect we won't make any real headway when it comes to protection until automated systems learn enough to start doing some of the work for us.

While some folks are needed msot of this is to cover for massive use of best practices. it takes a lot of people to patch avoidable holes in the dyke.

Privileged Account Security – The Giant Dirty Secret in most organizations cybersecurity. Why isn't it being addressed? Lack of Courage.

The overwhelming majority of companies and government organizations are avoiding the most critical cyber-security practice of all. Dealing with privileged account security. It's the biggest dirty secret in cybersecurity. Which is extremely unfortunate because virtually every hack on record was accomplished by someone gaining access to a privileged account then moving through the system. This usually occurs due to a successful phishing expedition. (Of which 22% are successful. Keep in mind only one is needed).

Of the small fraction of companies that even deal with this area only 1% of them actually use the products they purchase properly. Said differently – even if a CISO is buying the right things they are not using most of what you paid for. And in most cases they either have no plan to actually use critical features like Password Management, Session Management and Access Monitoring, or are moving so slow it will decades to finish. Often this is meant to purposefully deceive C-Suite and above. This puts everyone at risk.

Here is how bad things are. CMU CERT is the premier authority on cyber-security best practices. Especially for DoD. I found out that CMU CERT has no solution for themselves in this area. They actually defer to CMU IT for their own security and they have no solution in this area. Shouldn't the organization responsible for telling others what best practice is use best practices for its own security?

Why is this happening? These products inadvertently expose several huge best practice gaps. Examples include having 4X more accounts than people, non-encrypted password files or spreadsheets, emails with passwords and software programs with passwords hard coded in them and many not knowing where they all are. And having local admin permissions available on laptops and end points and not knowing where they all are either.

Why don't these folks address this? Because it means pushing the culture to change bad habits and admit to their executives and boards they even existed in the first place. Governing bodies and regulators mean well but they don't help much. This is because the relevant regulations, SOC, HiTrust etc are too trusting and don't specify enough detail. This gives organizations far too much room to wiggle. This all results in most companies and organizations not utilizing best practices or readily available of off the shelf products that can significantly reduce the threat.

This is not a technical issue. It's one of Courage. Courage to admit the root causes exist, To deal with the culture and lead them to fix them. To not sacrifice customers to protect egos or let the bean counters justify it's cheaper to harm customers than the bottom line.

This issue has at least 2 sides; the vendors' and the customers'. There may be a shortage of cyber skills but on which side? Today, there is an unfair load placed on he customer when it should be borne mostly by the vendor. The vendor sells products and services in a basically open (insecure) environment, the internet and should shoulder most of the responsibility, along with WWW and other authorities for safety with some responsibility resting on the customer (user). When I fly, I am not expected to provide my own life jacket and oxygen. It is the airlines' job to make sure aircraft are fundamentally safe and that flying in them safe too. I will, of course, do my bit when instructed by the crew.

What is needed is a security ARCHITECTURE for crucial internet access, It will involve changes to the hardware and software components, at especially the attack points (DNS, SNMP, email etc, etc,), Windows and associated hardware would have to provide new, critical information about 'mal-users' and support a new authentication and authorisation sub-architecture. Who should do this? It should be initiated at government level, using appropriate standards bodies and specialists to specify this architecture. In the old (70s/80s) days, IT vendors usually had to comply at level C2 of the US Orange books specs; there were higher, more secure levels too. The rules were simple: no comply, no business. Anyone using the net who isn't identifiable via this new architecture, or non-compliant, should be visible, trackable and excluded or prosecuted.

An equivalent Orange book and 'C2'-type mandate is needed for the net. I have tried to get various cyber security gurus and major figures who recognise this and to support such an initiative, to no avail. It is a case which parallels Mark Twain's famous whinge: 'Everybody is talking about the weather, nobody is doing anything about it'.

The malware hits so far in 2017 exceed the total for 2016 and when it hits the roof by end 2017, I will probably name and shame the people who have voiced concern (usually for personal gain) and done nothing. It's going to be a fun year. The onus must be lifted from the users' shoulders and maybe the need for millions of cyber security people will reduce considerably when protection is mainly automated via this architecture and SW/HW changes.

There are government and other initiatives around now but with little or no cooperation and all chasing in different directions, a sure recipe for a dog's breakfast solution if they ever get one).

Agreed with the other poster above. It's an interesting snap shot, but it would be interesting to provide more context related to actual, dedicated resources and money at companies that is currently earmarked for security and going unspent due to a lack of employees.

We've seen these headline figures for a few years now, but what's unclear is who is actually providing the numbers. It seems to me that in many cases it is 'IS professionals' saying we need more people to man the barricades because there is more to be done than we can currently cope with. But that sentiment can be found in everything from law enforcement, through nursing to teaching and beyond. Everyone has too much to do and not enough resources to deliver.

The two questions that I've not seen answered are "how many unfilled vacancies are there" (ie companies want to recruit but can't) and "how many people want to enter the industry but are unable to" (ie they have the skills or want to gain them but there are no jobs to apply for).

The former tells us we need to develop more people (demand over supply), the latter probably suggests the supply is there but there is no demand.

Cybersecurity professionals are in high demand -- and short supply. Find out what Dark Reading discovered during their 2017 Security Staffing Survey and get some strategies for getting through the drought. Download the report today!

Published: 2017-05-09NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.